metasploit | bf1d51d0010255cf65f472e4b694835f0b9535c2c60893793b3cbcb03cb5ccf9

Analysis

max time kernel
105s
max time network
124s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
28-03-2024 01:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-03-28_f2a6edc074f432a36432fb4f6cce6f88_icedid.exe
Size

6.3MB
MD5

f2a6edc074f432a36432fb4f6cce6f88
SHA1

df9232bdfa7cd10bd399e41fb99ff6bf6d18583c
SHA256

bf1d51d0010255cf65f472e4b694835f0b9535c2c60893793b3cbcb03cb5ccf9
SHA512

763ba4ede0453180c4cc3a63ed41f29ebed5ce9f5e0743d5cf78eae83e40553b858dd6d0b882b0229a220f93efd271e17cb1c828cf58ad0c8fb6d9ce792a3a5c
SSDEEP

98304:5qJbc5xtz+kl/m5aifMc/PKkuExnaZ/l+7Y1rtJKCg8:UJk+y/m0ifVKkbaZ/l+7Y1rtECg8

Score

10^/10

metasploit backdoor discovery spyware stealer trojan

Malware Config

Extracted

Family

metasploit

Version

windows/shell_reverse_tcp

106.55.7.254:11112

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit

Executes dropped EXE 1 IoCs

pid	Process
4184	geek64.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
1532	2024-03-28_f2a6edc074f432a36432fb4f6cce6f88_icedid.exe
4184	geek64.exe
4184	geek64.exe
4184	geek64.exe
4184	geek64.exe
4184	geek64.exe
4184	geek64.exe
4184	geek64.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 1532 wrote to memory of 4184	1532	2024-03-28_f2a6edc074f432a36432fb4f6cce6f88_icedid.exe	86
PID 1532 wrote to memory of 4184	1532	2024-03-28_f2a6edc074f432a36432fb4f6cce6f88_icedid.exe	86

C:\Users\Admin\AppData\Local\Temp\2024-03-28_f2a6edc074f432a36432fb4f6cce6f88_icedid.exe
"C:\Users\Admin\AppData\Local\Temp\2024-03-28_f2a6edc074f432a36432fb4f6cce6f88_icedid.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1532
- C:\Users\Admin\AppData\Local\Temp\geek64.exe
  C:\Users\Admin\AppData\Local\Temp\geek64.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4184

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\geek64.exe

Filesize
3.5MB

MD5
2062e8118cf10d1fba19a80a885c80f0

SHA1
7e4a6fee0595832708b9cc9ee9b7d589f9c2bcc8

SHA256
316fbec9eca41deef9a63837dfaf4de4369ca507c5b2143cd3a805cb238e5057

SHA512
684533abd11842833a0a4bab308c5a06253307dd8f0297211624eb1acd36ade78bf85a19cf2c8f0cc0cf85593732ebd612d6c32ce49eff284ebd6d7e8aa922b2

Download Submit
memory/1532-0-0x0000000000C20000-0x0000000000C21000-memory.dmp

Filesize
4KB

Download
memory/1532-15-0x0000000000C20000-0x0000000000C21000-memory.dmp

Filesize
4KB

Download